
<!DOCTYPE html> <html class="ltr" dir="ltr" lang="en"> <head> <title class="desc-title">Worm:W32/Swen | F-Secure Labs</title> <meta content="f-secure,fsecure,threat,threats,malware,virus,trojan,spyware,adware,pua,technical details,removal instructions" name="keywords"/> <meta content="Technical details and removal instructions for programs and files detected by F-Secure products." name="description"/> <meta charset="utf-8" content="IE=edge" http-equiv="X-UA-Compatible"/> <meta content="width=device-width, initial-scale=1" name="viewport"/> <meta content="https://assets.f-secure.com/i/opengraph/f-secure.jpg" property="og:image"/> <link href="css/favicon.ico" rel="Shortcut Icon" type="image/x-icon"/> <!--[if lt IE 9]> <link href="https://www.f-secure.com/documents/styleguide5/css/00-fs-icons-v1.1.3-legacy.min.css" rel="stylesheet" /> <link href="https://www.f-secure.com/documents/styleguide5/css/01-fs-bootstrap-v1.3.2-legacy-min.css" rel="stylesheet" /> <link href="https://www.f-secure.com/documents/styleguide5/css/02-fs-helpers-v1.3.2-legacy-min.css" rel="stylesheet" /> <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script> <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script> <![endif]--> <!--[if !IE]><!--> <link href="css/fs-bootstrap.min.css" rel="stylesheet"/> <link href="css/fs-components-v1.4.0-min.css" rel="stylesheet"/> <link href="css/td.min.css" rel="stylesheet"/> <script src="css/jquery-3.7.1.min.js"></script> <script src="css/td-templates.min.js"></script> <script async="" src="https://www.googletagmanager.com/gtag/js?id=G-84EXLXMFY5&amp;l=fsData&amp;cx=c" type="text/javascript"></script> <!--<![endif]--> <!--[if lte IE 9]> <script src="https://www.f-secure.com/documents/styleguide5/js/lib/00-jquery-1.12.4.min.js"></script> <![endif]--> <script id="fsdatalayer"> fsData = [ { page: { pageInfo: { pageName: "Worm:W32/Swen", geoRegion: "en", language: "en", }, category: { primaryCategory: "community", 
subCategory1: "threat descriptions", subCategory2: "sw-desc", }, }, }, ]; </script> <!-- Google Tag Manager --> <script> (function (w, d, s, l, i) { w[l] = w[l] || []; w[l].push({ "gtm.start": new Date().getTime(), event: "gtm.js" }); var f = d.getElementsByTagName(s)[0], j = d.createElement(s), dl = l != "dataLayer" ? "&l=" + l : ""; j.async = true; j.src = "https://www.googletagmanager.com/gtm.js?id=" + i + dl; f.parentNode.insertBefore(j, f); })(window, document, "script", "fsData", "GTM-NHD5NN9"); </script> <!-- End Google Tag Manager --> </head> <body> <noscript> <div class="alert alert-warning remove-margin text-center" role="alert"> <strong> Javascript is disabled in your web browser </strong> <p> For full functionality of this site it is necessary to enable JavaScript. Here are the <a href="https://www.enable-javascript.com/" target="_blank"> instructions how to enable JavaScript in your web browser </a> . </p> </div> </noscript> <!--[if lte IE 8]> <div class="alert alert-warning m-b-0"> <div class="container"> <div class="row"> <div class="col-xs-12"> <a href="#" data-dismiss="alert" class="pull-right"> <img src="https://www.f-secure.com/documents/assets/ie8/images/icon-close.png" /> </a> </div> <div class="col-xs-12 col-sm-1"> <img src="https://www.f-secure.com/documents/assets/ie8/images/icon-notification-78.png" class="hidden-sm hidden-xs" /> <img src="https://www.f-secure.com/documents/assets/ie8/images/icon-notification-52.png" class="hidden-md hidden-lg" /> </div> <div class="col-xs-12 col-sm-11"> <h3 class="m-a-0">Your browser is out of date</h3> <p class="m-b-0"> You are using an older version of <strong>Internet Explorer</strong> with known security issues. This version does not work well with a large number of modern websites. </p> <p> Please update your browser to the latest version, or use other browser to ensure you get the best experience on our website. 
</p> <a class="btn btn-default m-b-1 m-r-1" href="https://support.microsoft.com/en-us/help/17621/internet-explorer-downloads" target="_blank" >Update browser</a > <a class="btn btn-default m-b-1 m-r-1" href="https://www.google.com/chrome/browser/" target="_blank" >Download Chrome</a > <a class="btn btn-default m-b-1" href="https://www.mozilla.org/en-US/firefox/" target="_blank" >Download Firefox</a > </div> </div> </div> </div> <div class="modal fade in" id="ie8WarningModal" tabindex="-1" role="dialog" aria-labelledby="ie8WarningModalLabel" > <div class="modal-dialog"> <div class="modal-content"> <div class="modal-body text-center p-x-2"> <a href="#" data-dismiss="modal" class="pull-right" style=" position: absolute; padding: 18px; right: 0; top: 0; margin: 0; " > <img src="https://www.f-secure.com/documents/assets/ie8/images/icon-close.png" /> </a> <img src="https://www.f-secure.com/documents/assets/ie8/images/icon-notification-104.png" /> <h2 class="m-t-0" id="ie8WarningModalLabel"> Your browser is out of date </h2> <p class="text-secondary"> You are using an older version of <strong>Internet Explorer</strong> with known security issues. This version does not work well with a large number of modern websites. </p> <p class="text-secondary m-b-3"> Please update your browser to the latest available version, or use other browsers for better security and performance. 
</p> <a class="btn btn-default m-b-1" href="https://support.microsoft.com/en-us/help/17621/internet-explorer-downloads" target="_blank" >Update browser</a > <br /> <a class="btn btn-default m-b-1" href="https://www.google.com/chrome/browser/" target="_blank" >Download Chrome</a > <a class="btn btn-default m-b-1" href="https://www.mozilla.org/en-US/firefox/" target="_blank" >Download Firefox</a > </div> </div> </div> </div> <script src="https://www.f-secure.com/documents/assets/ie8/js/ie8-warning.js"></script> <![endif]--> <div id="wrapper"> <header id="header"></header> <section id="desc-intro"> <div class="container"> <div class="row"> <div class="col-xs-12"><a class="breadcrumb home" href="https://www.f-secure.com/en"></a><a class="breadcrumb last" href="https://www.f-secure.com/v-descs/index.shtml"><span>Threat Descriptions</span></a> </div> </div> <div class="row"> <div class="col-xs-12 p-t-4 p-b-3"> <h1 class="desc-name">Worm:W32/Swen</h1> </div> </div> </div> <div class="bg-gray-1"> <div class="container"> <div class="row"> <div class="col-xs-12"> <div class="col-xs-12 m-y-2 p-x-1 classification-table"> <h6 class="text-bold p-b-2">Classification</h6> <div class="col-md-4 p-l-0"> <p class="classification-field"> <a href="https://www.f-secure.com/v-descs/guides/classification-guide.shtml"> Category </a> : </p> <p class="desc-category">Malware</p> </div> <div class="col-md-4 p-l-0"> <p class="classification-field"> <a href="https://www.f-secure.com/v-descs/guides/classification_guide.shtml#type"> Type </a> : </p> <p class="desc-type">Worm</p> </div> <div class="col-md-4 p-l-0"> <p class="classification-field"> <a href="https://www.f-secure.com/v-descs/guides/classification_guide.shtml#platform"> Platform </a> : </p> <p class="desc-platform">W32</p> </div> <div class="col-md-12 p-l-0"> <p class="classification-field"> <a href="https://www.f-secure.com/v-descs/guides/terminology.shtml#a&amp;alias"> Aliases </a> : </p> <p class="desc-aliasses">Worm:W32/Swen</p> 
</div> </div> </div> </div> </div> </div> </section> <section id="summary"> <div class="container"> <div class="row"> <div class="col-xs-12 p-y-2 m-b-2"> <h3 class="text-bold lead">Summary</h3> <div class="desc-summary"> <p> Swen is a <a href="https://www.f-secure.com/v-descs/worm.shtml">worm</a> that replicates via email, local network (LAN), IRC and Kazaa. It uses a vulnerability in Internet Explorer to execute directly from email. </p> </div> </div> </div> </div> </section> <section id="removal"> <div class="container"> <div class="row"> <div class="col-xs-12 p-b-2"> <h3 class="text-bold lead">Removal</h3> <div class="accordion desc-removal" id="removaloptions"> <div class="card"> <div class="card-header" id="automatic-action"> <h2 class="mb-0"> <button aria-controls="collapseOne" aria-expanded="false" class="btn btn-link btn-block text-left" data-target="#automaticaction" data-toggle="collapse" type="button"> <span> Automatic action </span> </button> </h2> </div> <div aria-labelledby="headingOne" class="collapse" data-parent="#removaloptions" id="automaticaction"> <div class="card-body"> <p> Based on the <a href="https://help.f-secure.com/product.html#home/total-windows/latest/en/vsp_main-latest-en">settings</a> of your F-Secure security product, it will either move the file to the <span>quarantine</span> where it cannot spread or cause harm, or <span>remove</span> it. </p> </div> </div> <div class="card"> <div class="card-header" id="suspect-fp"> <h2 class="mb-0"> <button aria-controls="collapseTwo" aria-expanded="false" class="btn btn-link btn-block text-left collapsed" data-target="#suspectfp" data-toggle="collapse" type="button"> <span> Suspect a file is incorrectly detected (a False Positive)? 
</span> </button> </h2> </div> <div aria-labelledby="headingTwo" class="collapse" data-parent="#removaloptions" id="suspectfp"> <div class="card-body"> <p> A <a href="https://www.f-secure.com/v-descs/false_positive.shtml">False Positive</a> is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also: </p> <ul> <li> <p>Check for the latest database updates</p> <p> First check if your F-Secure security program is using the <a href="https://help.f-secure.com/product.html#home/total-windows/latest/en/task_438BAEED433241F492F28C2A11418548-latest-en">latest updates</a>, then try scanning the file again. </p> </li> <li> <p>Submit a sample</p> <p> After checking, if you still believe the file is incorrectly detected, you can <a href="https://www.f-secure.com/sas">submit a sample</a> of it for re-analysis. </p> <p> <span>Note: </span> If the file was moved to <span>quarantine</span>, you need to <a href="https://help.f-secure.com/product.html#home/total-windows/latest/en/task_758ED015BB8B4A89B6CE1F880DF825D0-latest-en">collect the file from quarantine</a> before you can submit it. </p> </li> <li> <p>Exclude a file from further scanning</p> <p> If you are certain that the file is safe and want to continue using it, you can <a href="https://help.f-secure.com/product.html#home/total-windows/latest/en/task_13205052E3D44C44BA2491A55A7F818F-latest-en">exclude it from further scanning</a> by the F-Secure security product. </p> <p> <span>Note: </span> You need administrative rights to change the settings. 
</p> </li> </ul> </div> </div> </div> </div> </div> </div> </div> </div> </section> <section id="technicaldetails"> <div class="container"> <div class="row"> <div class="col-xs-12 p-b-3 m-t-2 m-b-4"> <h3 class="text-bold lead">Technical Details</h3> <div class="desc-technicaldetails"> <p> The Swen worm appeared on 18 September 2003. It was most likely written by the author of the Gibe worm (Begbie), and it shares many features with the latest Gibe variants. </p> <p> The worm's file is a Windows PE executable 106496 bytes long. It is not compressed with any file packer. </p> <h3>Installation</h3> <p> When the worm's file is run, it checks whether it is already installed. If not, it copies its file to the Windows directory under a random name (for example MLMHP.EXE) and creates a startup key for this file in the Registry: </p> <ul> <li> [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "[<span>random characters</span>]" = "[<span>random characters</span>].exe /autorun" </li> </ul> <p> where [random characters].exe is the name of the worm's file. This way the worm's file is started every time Windows starts. If the worm is already installed on the computer, it shows the following messagebox: </p> <div class="img-box"> <img src="https://www.f-secure.com/v-pics/swen5.gif"/> </div> <p>Otherwise the worm shows the following messagebox:</p> <div class="img-box"> <img src="https://www.f-secure.com/v-pics/swen1.gif"/> </div> <p> If the user clicks the 'No' button, the worm installs itself silently. If the user clicks 'Yes', the worm shows a fake installation dialog: </p> <div class="img-box"> <img src="https://www.f-secure.com/v-pics/swen2.gif"/> </div> <p>and after some time it reports a successful installation:</p> <div class="img-box"> <img src="https://www.f-secure.com/v-pics/swen3.gif"/> </div> <p> During installation the worm creates a batch file whose name is the name of the infected workstation. 
This batch file contains the following text: </p> <pre>@ECHO OFF
IF NOT "%1"=="" [name].exe %1</pre> <p> where [name] is the name of the worm's executable file. The worm extracts the list of SMTP and NNTP servers from its body into the file SWEN1.DAT, which it places in the Windows directory. </p> <p> The worm then modifies the default open commands for BAT, SCR, EXE, REG and PIF files in the Registry: </p> <ul> <li>[HKCR\exefile\shell\open\command]</li> <li>[HKCR\regfile\shell\open\command]</li> <li>[HKCR\scrfile\shell\open\command]</li> <li>[HKCR\piffile\shell\open\command]</li> <li>[HKCR\batfile\shell\open\command]</li> <li>[HKCR\scrfile\shell\config\command]</li> </ul> <p> As a result, the worm gets control every time a user tries to run an executable or import a registry file. The worm also disables the Registry tools by creating the following value: </p> <ul> <li> [HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System] "DisableRegistryTools" = dword:00000001 </li> </ul> <p> As a result the user cannot run the Regedit utility or import REG file data. In such a case the worm shows the following messagebox: </p> <div class="img-box"> <img src="https://www.f-secure.com/v-pics/swen4.gif"/> </div> <p>The numbers in this messagebox are randomly generated.</p> <p>The worm creates a set of subkeys under the following key:</p> <ul> <li> [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer] </li> </ul> <p> These subkeys store the SMTP server, the user's email address, the name of the Run value for the installed worm file, the name of the infected computer's user, the name of the zip archive that the worm tries to create using WinZip, the name of the mIRC folder and some other data. During installation the worm also enables sharing in the Kazaa client, copies itself several times into the Kazaa shared folder, and replaces the SCRIPT.INI file of the mIRC client with one that sends the worm's file to every user joining a channel where the infected user is present. 
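</p> <p> The Registry changes above are the quickest host-side check for an infection. The following script is an added example, not part of this description and not an F-Secure tool: it parses a REGEDIT4-format export (such as one produced by "regedit /e") and reports the three indicators listed in this section: a Run value ending in "/autorun", shell open commands for EXE, BAT, PIF, SCR and REG files that no longer begin with the Windows default (the "%1" placeholder, or regedit.exe for REG files), and DisableRegistryTools set under HKU\.DEFAULT. The sample export, the worm file name mlmhp.exe and the "Windows default" first tokens are assumptions made for the example. </p>

```python
"""Scan a REGEDIT4/.reg export for the persistence and hijack changes Swen makes.
Added example, not F-Secure code. The expected first tokens below assume a standard
Windows installation (customised file associations would need their own entries)."""
import re

# Shell commands Swen rewrites, mapped to the executable token they normally start with.
WATCHED_COMMANDS = {
    r"hkey_classes_root\exefile\shell\open\command": "%1",
    r"hkey_classes_root\batfile\shell\open\command": "%1",
    r"hkey_classes_root\piffile\shell\open\command": "%1",
    r"hkey_classes_root\scrfile\shell\open\command": "%1",
    r"hkey_classes_root\scrfile\shell\config\command": "%1",
    r"hkey_classes_root\regfile\shell\open\command": "regedit.exe",
}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
POLICY_KEY = r"hkey_users\.default\software\microsoft\windows\currentversion\policies\system"


def parse_reg(text):
    """Parse REGEDIT4-style text into {key_lower: {value_name: data}}.
    String data is unescaped (\\\\ -> \\, \\" -> "); dword:XXXXXXXX becomes an int.
    Only the value kinds the indicators need are handled; "@" is the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m or current is None:
            continue
        name = "" if m.group(1) == "@" else m.group(2)
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            data = re.sub(r'\\(.)', r'\1', data[1:-1])
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        keys[current][name] = data
    return keys


def first_token(command):
    """Executable token of a shell command line, without surrounding quotes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""


def find_swen_indicators(reg_text):
    """Return human-readable findings for the indicators this section describes."""
    keys = parse_reg(reg_text)
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if isinstance(data, str) and data.lower().rstrip().endswith("/autorun"):
            findings.append(f"Run value '{name}' = '{data}' (Swen-style /autorun switch)")
    for key, expected in WATCHED_COMMANDS.items():
        cmd = keys.get(key, {}).get("")
        if isinstance(cmd, str) and first_token(cmd).lower() != expected:
            findings.append(f"{key} hijacked: {cmd}")
    if keys.get(POLICY_KEY, {}).get("DisableRegistryTools") == 1:
        findings.append("DisableRegistryTools=1 under HKU\\.DEFAULT (Regedit blocked)")
    return findings


# Constructed sample export (not from a real infection); "mlmhp.exe" follows the
# page's example of a random worm file name. The batfile entry is left clean on purpose.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"mlmhp"="mlmhp.exe /autorun"
"Updater"="C:\\Program Files\\Vendor\\updater.exe /quiet"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="mlmhp.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="mlmhp.exe \"%1\""

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
'''

if __name__ == "__main__":
    for finding in find_swen_indicators(SAMPLE_REG):
        print(finding)
```

<p> The open-command check keys on the first token rather than on an exact string because the worm's hijack always places its own executable in front of the original command; a legitimate customisation that keeps "%1" first is not reported. Because the worm blocks Regedit on the infected host, take the export from a clean boot or a mounted offline hive rather than from the running system. </p> <p>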
The worm also copies its file to the startup folders of remote computers over the network. </p> <h3>Propagation (local network)</h3> <p> The worm attempts to spread via the local network (LAN). It looks for mapped network drives, accesses them and, if it finds one of the following directories in the root folder: </p> <ul> <li>Win98</li> <li>Win95</li> <li>WinMe</li> <li>Windows</li> </ul> <p> copies its file under a random name to the following folders: </p> <ul> <li>\%WinDir%\Start menu\Programs\Startup</li> <li> \Documents and Settings\All Users\Start menu\Programs\Startup </li> <li> \Documents and Settings\Administrator\Start menu\Programs\Startup </li> <li> \Documents and Settings\Default User\Start menu\Programs\Startup </li> <li>\Winnt\Profiles\All Users\Start menu\Programs\Startup</li> <li> \Winnt\Profiles\Administrator\Start menu\Programs\Startup </li> <li> \Winnt\Profiles\Default User\Start menu\Programs\Startup </li> </ul> <p> As a result the remote computers become infected with the worm after they are restarted. </p> <h3>Propagation (IRC)</h3> <p> The worm creates its own SCRIPT.INI file in the mIRC installation folder. This script makes the IRC client send a file called 'WinZip installer.zip' to every user joining a channel where the infected user is present. </p> <h3>Propagation (Kazaa)</h3> <p> The worm modifies the Registry to enable sharing in the Kazaa client, then locates the Kazaa shared folder and copies itself there under a generated name. 
The name is generated from the following strings: </p> <ul class="threecolumn-list"> <li>Kazaa Lite</li> <li>KaZaA media desktop</li> <li>KaZaA</li> <li>WinRar</li> <li>WinZip</li> <li>Winamp</li> <li>Mirc</li> <li>Download Accelerator</li> <li>GetRight FTP</li> <li>Windows Media Player</li> <li>key generator</li> <li>hack</li> <li>hacked</li> <li>warez</li> <li>upload</li> <li>installer</li> <li>Bugbear</li> <li>Yaha</li> <li>Gibe</li> <li>Sircam</li> <li>Sobig</li> <li>Klez</li> <li>remover</li> <li>removal tool</li> <li>cleaner</li> <li>fixtool</li> <li>AOL hacker</li> <li>Yahoo hacker</li> <li>Hotmail hacker</li> <li>10.000 Serials</li> <li>Jenna Jameson</li> <li>HardPorn</li> <li>Sex</li> <li>XboX Emulator</li> <li>Emulator PS2</li> <li>XP update</li> <li>XXX Video</li> <li>Sick Joke</li> <li>XXX Pictures</li> <li>My naked sister</li> <li>Hallucinogenic Screensaver</li> <li>Cooking with Cannabis</li> <li>Magic Mushrooms Growing</li> <li>Virus Generator</li> </ul> <p>These files can have EXE or ZIP extensions.</p> <h3>Propagation (E-mail and newsgroups)</h3> <p> The worm periodically scans HTML and ASP files on the hard drive and stores the email addresses it finds in the file GERMS0.DBV in the Windows folder. It also reads .EML, .DBX, .WAB and .MBX files and collects email addresses from them. Addresses containing the strings 'delete' or 'spam' are skipped. </p> <p> The worm can also search for email addresses in newsgroups. It connects to the NNTP servers listed in the SWEN1.DAT file, retrieves the list of all newsgroups on each server and searches recent messages in these newsgroups for the 'nfrom:' and 'nreply-to:' strings (the From: and Reply-To: header lines). When such a header is found, the worm takes the email address that follows it and writes it to the GERMS0.DBV file. This way the worm can harvest a large number of email addresses to send itself to. </p> <p> The worm can also post its messages to newsgroups whose names it collected while searching. 
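</p> <p> The sender, domain, subject and attachment word lists given further down in this section translate directly into a mail-gateway heuristic. The following script is an added example, not part of this description and not F-Secure code: it scores a message by how many of its From: name, From: domain, Subject: and attachment name are composed purely from the listed parts. The two sample messages, the scoring threshold of two signals and the exact join rules for the domain are assumptions made for the example; the page gives the parts but not the precise template the worm fills in. </p>

```python
"""Heuristic for Swen-style forged 'Microsoft update' mail, built from the word
lists on this page. Added example, not F-Secure code; the scoring threshold and
the sample messages are assumptions made for the example."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import Parser
from email.utils import parseaddr

# Word lists as given on this page (lower-cased for comparison).
SENDER_NAME_PARTS = {"ms", "microsoft", "corporation", "program", "internet", "network",
                     "security", "division", "section", "department", "center", "technical",
                     "public", "customer", "bulletin", "services", "assistance", "support"}
DOMAIN_PARTS = {"news", "bulletin", "confidence", "advisor", "updates", "technet",
                "support", "newsletters"}
DOMAIN_SUFFIXES = {"ms", "msn", "msdn", "microsoft"}
SUBJECT_PARTS = {"current", "newest", "last", "new", "latest", "net", "network", "microsoft",
                 "internet", "critical", "security", "patch", "update", "pack", "upgrade"}
# Attachment: digits plus one of the listed parts, EXE or ZIP (e.g. Q591362.EXE, UPDATE98.EXE).
ATTACHMENT_RE = re.compile(
    r"^\d*(upgrade|update|patch|q|install|installer|installation)\d*\.(exe|zip)$", re.I)


def words(text):
    """Lower-case alphanumeric tokens of a header value."""
    return [w for w in re.split(r"[^a-z0-9]+", str(text).lower()) if w]


def only_from(text, vocabulary):
    """True when every token of text comes from the vocabulary (and there is at least one)."""
    ws = words(text)
    return bool(ws) and all(w in vocabulary for w in ws)


def swen_like_domain(domain):
    """<domain parts>.<ms|msn|msdn|microsoft>.<com|net>, following the page's description."""
    labels = domain.lower().split(".")
    if len(labels) < 3 or labels[-1] not in {"com", "net"} or labels[-2] not in DOMAIN_SUFFIXES:
        return False
    return all(only_from(label, DOMAIN_PARTS) for label in labels[:-2])


def swen_score(raw_message):
    """Return (score, reasons) for an RFC 5322 message given as a string."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    reasons = []
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2]
    if domain and swen_like_domain(domain):
        reasons.append(f"sender domain {domain} is built from Swen domain parts")
    if name and only_from(name, SENDER_NAME_PARTS):
        reasons.append(f"sender name '{name}' is built from Swen name parts")
    subject = str(msg.get("Subject", ""))
    if only_from(subject, SUBJECT_PARTS):
        reasons.append(f"subject '{subject}' is built from Swen subject parts")
    for part in msg.walk():
        filename = part.get_filename()
        if filename and ATTACHMENT_RE.match(filename):
            reasons.append(f"attachment {filename} follows Swen naming")
    return len(reasons), reasons


def is_swen_like(raw_message, threshold=2):
    """Assumed policy: flag only when at least two independent signals agree, because a
    genuine *.microsoft.com sender trips the domain check on its own."""
    return swen_score(raw_message)[0] >= threshold


def build_message(sender, subject, attachment_name):
    """Constructed sample (not a captured Swen message) with a tiny fake attachment."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "Microsoft Customer <customer@support.msn.com>"
    m["Subject"] = subject
    m.set_content("Install this critical update for Microsoft Internet Explorer.")
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                     filename=attachment_name)
    return m.as_string()


SUSPICIOUS = build_message("MS Technical Assistance <bulletin@updates.msdn.com>",
                           "Latest Internet Security Update", "Q591362.EXE")
BENIGN = build_message("Jane Doe <jane@example.org>", "Lunch on Friday?", "menu.pdf")

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        score, reasons = swen_score(raw)
        print(label, score, reasons)
```

<p> The domain check on its own is deliberately weak: an address such as technet.microsoft.com is exactly what the worm imitates, so the same rule matches real Microsoft mail. That is why the policy requires a second signal, and why the attachment check (an executable or archive named from the update/patch/Q parts) carries the most weight in practice. </p> <p>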
The newsgroup postings are the same kind of messages the worm sends via email. </p> <p> The worm reads the SMTP server address and user name from the Registry. If it cannot find this information, it shows a fake MAPI error dialog asking the user to enter it: </p> <div class="img-box"> <img src="https://www.f-secure.com/v-pics/swen6.gif"/> </div> <p> The worm sends itself in legitimate-looking messages composed from text strings hardcoded in its body. It also checks the current date and uses the current month in the message text, so it spreads with a different message each month of the year. Here is an example of such a message sent in September: </p> <div class="img-box"> <img src="https://www.f-secure.com/v-pics/swen.gif"/> </div> <p> The attachment name, the subject and part of the message body are composed at random from text strings hardcoded in the worm's body. The fake sender's address is composed from the following parts: </p> <ul class="threecolumn-list"> <li>MS</li> <li>Microsoft</li> <li>Corporation</li> <li>Program</li> <li>Internet</li> <li>Network</li> <li>Security</li> <li>Division</li> <li>Section</li> <li>Department</li> <li>Center</li> <li>Technical</li> <li>Public</li> <li>Customer</li> <li>Bulletin</li> <li>Services</li> <li>Assistance</li> <li>Support</li> </ul> <p> The domain name for these emails is selected from the following parts: </p> <ul> <li>news</li> <li>bulletin</li> <li>confidence</li> <li>advisor</li> <li>updates</li> <li>technet</li> <li>support</li> <li>newsletters</li> </ul> <p> The domain suffix for these emails is selected from the following parts: </p> <ul> <li>ms</li> <li>msn</li> <li>msdn</li> <li>microsoft</li> </ul> <p>followed by one of the following:</p> <ul> <li>.com</li> <li>.net</li> </ul> <p> The fake recipient's address is composed from the same strings, but the fake recipient's name is selected from the following parts: </p> <ul> <li>Commercial</li> 
<li>MS</li> <li>Microsoft</li> <li>Corporation</li> <li>Customer</li> <li>User</li> <li>Partner</li> <li>Consumer</li> <li>Client</li> </ul> <p>The subject is composed from the following parts:</p> <ul class="threecolumn-list"> <li>Current</li> <li>Newest</li> <li>Last</li> <li>New</li> <li>Latest</li> <li>Net</li> <li>Network</li> <li>Microsoft</li> <li>Internet</li> <li>Critical</li> <li>Security</li> <li>Patch</li> <li>Update</li> <li>Pack</li> <li>Upgrade</li> </ul> <p> The worm is usually attached to infected messages as an EXE file. The attachment name is randomly generated from numbers and the following parts: </p> <ul> <li>upgrade</li> <li>update</li> <li>patch</li> <li>q</li> <li>install</li> <li>installer</li> <li>installation</li> </ul> <p> For example the infected attachment name can be Q591362.EXE or UPDATE98.EXE. The IFrame exploit is not present in such messages. In some cases the worm's attachment can be in a ZIP archive. The worm can also compose fake forwarded or bounced emails from the following parts: </p> <ul class="threecolumn-list"> <li>RE:</li> <li>FWD:</li> <li>FW:</li> <li>Check</li> <li>Check out</li> <li>Prove</li> <li>Try</li> <li>Taste</li> <li>Try on</li> <li>Look at</li> <li>Take a look at</li> <li>See</li> <li>Watch</li> <li>Use</li> <li>Apply</li> <li>Install</li> <li>this</li> <li>that</li> <li>the</li> <li>these</li> <li>important</li> <li>internet</li> <li>critical</li> <li>security</li> <li>corrective</li> <li>correction</li> <li>patch</li> <li>update</li> <li>pack</li> <li>upgrade</li> <li>for</li> <li>MS</li> <li>Microsoft</li> <li>Windows</li> <li>Internet Explorer</li> <li>which</li> <li>that</li> <li>comes</li> <li>from</li> <li>the</li> <li>MS</li> <li>M$</li> <li>Microsoft</li> <li>Corporation</li> <li>Corp.</li> </ul> <p> The bodies of bounced emails can have the following text strings: </p> <ul class="threecolumn-list"> <li>Hi.</li> <li>This is the qmail program</li> <li>Message from</li> <li>I'm sorry</li> <li>I'm 
sorry to have to inform you that</li> <li>I'm afraid</li> <li>I wasn't able to deliver your message</li> <li>the message returned below could not be delivered</li> <li>to the following addresses:</li> <li>to one or more destinations.</li> <li>Undeliverable</li> <li>Undelivered</li> <li>message</li> <li>mail</li> <li>Message follows:</li> </ul> <p> Such emails usually carry the IFrame exploit and the worm's file with a PIF, BAT, COM, SCR or EXE extension, and they have no Microsoft-style message body. The IFrame exploit (the Internet Explorer MIME-header flaw addressed by Microsoft Security Bulletin MS01-020) makes the attachment start automatically in email clients that render HTML mail with an older or unpatched Internet Explorer engine, without the user opening the attachment. </p> <h3>Payload</h3> <p> The worm terminates processes of security and anti-virus software whose names contain the following strings: </p> <ul class="multicolumn-list"> <li>_avp</li> <li>ackwin32</li> <li>anti-trojan</li> <li>aplica32</li> <li>apvxdwin</li> <li>autodown</li> <li>avconsol</li> <li>ave32</li> <li>avgcc32</li> <li>avgctrl</li> <li>avgw</li> <li>avkserv</li> <li>avnt</li> <li>avp</li> <li>avsched32</li> <li>avwin95</li> <li>avwupd32</li> <li>blackd</li> <li>blackice</li> <li>bootwarn</li> <li>ccapp</li> <li>ccshtdwn</li> <li>cfiadmin</li> <li>cfiaudit</li> <li>cfind</li> <li>cfinet</li> <li>claw95</li> <li>dv95</li> <li>ecengine</li> <li>efinet32</li> <li>esafe</li> <li>espwatch</li> <li>f-agnt95</li> <li>findviru</li> <li>fprot</li> <li>f-prot</li> <li>fprot95</li> <li>f-prot95</li> <li>fp-win</li> <li>frw</li> <li>f-stopw</li> <li>gibe</li> <li>iamapp</li> <li>iamserv</li> <li>ibmasn</li> <li>ibmavsp</li> <li>icload95</li> <li>icloadnt</li> <li>icmon</li> <li>icmoon</li> <li>icssuppnt</li> <li>icsupp</li> <li>iface</li> <li>iomon98</li> <li>jedi</li> <li>kpfw32</li> <li>lockdown2000</li> <li>lookout</li> <li>luall</li> <li>moolive</li> <li>mpftray</li> <li>msconfig</li> <li>nai_vs_stat</li> <li>navapw32</li> <li>navlu32</li> <li>navnt</li> <li>navsched</li> <li>navw</li> <li>nisum</li> <li>nmain</li> 
<li>normist</li> <li>nupdate</li> <li>nupgrade</li> <li>nvc95</li> <li>outpost</li> <li>padmin</li> <li>pavcl</li> <li>pavsched</li> <li>pavw</li> <li>pcciomon</li> <li>pccmain</li> <li>pccwin98</li> <li>pcfwallicon</li> <li>persfw</li> <li>pop3trap</li> <li>pview</li> <li>rav</li> <li>regedit</li> <li>rescue</li> <li>safeweb</li> <li>serv95</li> <li>sphinx</li> <li>sweep</li> <li>tca</li> <li>tds2</li> <li>vcleaner</li> <li>vcontrol</li> <li>vet32</li> <li>vet95</li> <li>vet98</li> <li>vettray</li> <li>vscan</li> <li>vsecomr</li> <li>vshwin32</li> <li>vsstat</li> <li>webtrap</li> <li>wfindv32</li> <li>zapro</li> <li>zonealarm</li> </ul> <p> The worm also prevents files whose names contain the above strings from being started. When such a file is started, the worm shows the following messagebox and stops the file's execution: </p> <div class="img-box"> <img src="https://www.f-secure.com/v-pics/swen4.gif"/> </div> <p>The numbers in this messagebox are randomly generated.</p> <p> If the worm detects a debugger on the system, it shows a messagebox with the following text: </p> <ul> <li>Try to pull my legs?</li> </ul> <h3>Infection counter</h3> <p> The worm keeps its own counter on a certain web page. Every infected computer tries to access that page, which increments the counter. At the time this description was written (18 September, 20:00 GMT) the counter stood at over 510000, but we believe this is not the actual number of infected computers. </p> <h3>Variants</h3> <h3>Swen.B</h3> <p> This minor variant was found on 9 October 2003. It was created by compressing the original virus with UPX. This shrank the file from 106496 bytes to 52224 bytes, making it undetectable to some antivirus programs. In addition, many references to Microsoft in the original have been changed to references to Tiscali, an Italian ISP. </p> <p> F-Secure Anti-Virus detected this modified version of the virus without any need for updates. 
</p> <h3>Swen.C</h3> <p> This minor variant was also found on 9 October 2003. Like the previous variant, it is compressed with the UPX file packer. The packed file size is 52224 bytes. </p> <p> Swen.C has a slightly different set of text strings, mentioning both Tiscali and Microsoft as well as the name of Tiscali's CEO, Renato Soru. A few Tiscali links that were present in the B variant were slightly modified. </p> </div> </div> </div> </div> </section> <section id="more"></section> </div> <footer id="footer"></footer> </body> </html>
